Emergency vs Privacy

By cliangNo Comments
It is common to leave contact information in passport, contact card in wallet such that under emergency situation, others could notify your family member or significant half. This will be helpful if you are travelling alone, or aged. But how do we eliminate scam? Our contact information (email, phone number) is perhaps widely shared when register for web service as 2-step authentication, product registration for warranty, leave as call back for inquiry results, or our friends' devices carrying our contacts are compromised. There is a little trick to beat against scammer by establishing a one-way trust. Put a preset phase in the emergency contact card. Pre-arrange this with your contact(s) the caller must quote this preset phase to prove the contact info is obtained from this emergency contact card but not elsewhere. ...
Read More

Bag Tag

By cliangNo Comments
It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...
Read More

Renewable Energy

By cliangNo Comments
It is one of the decarbonization means. Investment involves initial plant setup and then recurring operating cost. There is no need for fuel except resources to manage the plant properly. The entire ecosystem will need site survey, i.e. how many days with sufficient wind are there in a year and the strength, physical security from sabotage of the plant and then digital security against cyber attack - bring down the grid, damage the equipment, scheduled plant maintenance. This shall best have a Hazard and Operability (HAZOP) exercise that include everything that most cybersecurity practitioners are only focusing on cybersecurity, or technical controls. If they do, they are incompetent for the job. ...
Read More

Bunkers

By cliangNo Comments
Bunker at Diamond Head State Monument Bunkers are fortified physical infrastructure to withstand attack. However, there are side channels required for supplies, reconnaissance, defense or attack the attackers. Similarly the firewall in cyber world takes the same analogy. It is a network perimeter device to control network traffic but it requires ruleset management, health check thru the network rather than doing this locally. This will open up side channels that could be vulnerable to cyber attack if configured improperly. Best practices are to review firewall configuration (rulesets), event logs (permitted or dropped traffic) regularly. Automated tool is required as human check is nearly impossible. Log parser via SOC (Security Operation Centre) will associate network traffic from different zones providing a holistic view for better visibility, identify early sign of compromise as threat vectors are conducting reconnaissance to understand the system landscape, vulnerable component before choosing the appropriate attack kit. ...
Read More

Tora! Tora! Tora!

By cliangNo Comments
Lightning Attack This historical event is unexpected attack. But in cyber world, unexpected attack is always expected. It ranges from threat actors trying to penetrating into the organization network thru various means like BEC (Business Email Compromise phishing), insecure Internet-facing resources, zero-day exploits to deepfake. We can only protect threats that we know. So, we can't secure every cyber resources? That said, cyber resilience and prompt incident respond are vital to sustain business operations. All these should be the joint development among business and cybersecurity units within the organization in periodic review and drills for improvement. ...
Read More

Security By Trust

By cliangNo Comments
In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Time

By cliangNo Comments
Time is an interesting phenomenon. It dominates everything both in physical and cyber worlds. All living individual or objects are under influence of time: getting aged. All data traffic are regulated with time as base reference for synchronization and handshaking. Everyone has equal amount of time. Time cannot be borrowed nor saved for later use. Time is abstract that cannot be touched nor felt its existence. That said, how do we deal with time? This is really use case based. In time-sensitive action, time is kept down to micro or nano second. Examples are stock trading transaction and racing. In certain case, "coarse" time reference may be used like the illustration that hour indication is sufficient - morning, afternoon, evening or night time. It all depends how time reference is deployed in the use case, and how time measurement is secure to maintain integrity. Inevitably, a comprehensive risk assessment (not just cyber but the business as a whole) is required to understanding risk...
Read More

Protocol

By cliangNo Comments
Protocol requires proper data format and valid ranges in different preset fields per design to work properly. Threat actors are trying to manipulate the different fields and data ranges in order to exploit weakness of underlying process to handle the protocol. Just like the illustrated locks. It allow dual admins to unlock it where each admin has own access key. If a "malicious" admin who does not follow the protocol to make the locks in series but putting them in parallel, then access is denied to other admin because unlock will require both keys at the same time. Therefore, when we talk about security, there are lots of considerations: robustness of the process enforceable by strong technology with people acting honestly and all driven by laws & regulations (or organization policies). Protection is beyond encryption, firewall, system hardening. These are evadable.Most said human is the weakess link. Yes, this is still true but we must include factors like Incompetent cybersecurity practitioners providing recommendations without...
Read More

Freedom

By cliangNo Comments
This is relatively speaking. Freedom is granted to certain extend. In physical world, what stops us doing bad things? It's the laws & regulations that stipulate us behave properly. For religious, there are further moral obligations to follow, say, The Ten Commandments. Then how about in the space of digital world? We are all interacting with others in the metaverse. Cyber crimes are more complex to settle because it is cross jurisdiction. We are free to use many cyber resources but that does mean we can abuse. Network activities are mostly traceable. We have to exercise the proper behaviors, be suspicious of unknown requests, learn from others' incident in keeping us as well as our connected peers safe (secure). ...
Read More